@scriptmasterlabs/mcp-x402 2.1.1 → 2.1.2

package/dist/server/security/acl.d.ts

@@ -0,0 +1,28 @@
+import { z } from 'zod';
+export declare const ToolACLSchema: z.ZodObject<{
+    toolName: z.ZodString;
+    walletAddress: z.ZodOptional<z.ZodString>;
+    creditScore: z.ZodOptional<z.ZodNumber>;
+    paidTier: z.ZodDefault<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    toolName: string;
+    paidTier: boolean;
+    walletAddress?: string | undefined;
+    creditScore?: number | undefined;
+}, {
+    toolName: string;
+    walletAddress?: string | undefined;
+    creditScore?: number | undefined;
+    paidTier?: boolean | undefined;
+}>;
+export type ToolACL = z.infer<typeof ToolACLSchema>;
+export declare class ACL {
+    private static instance;
+    private constructor();
+    static getInstance(): ACL;
+    isFree(toolName: string): boolean;
+    requiresPayment(toolName: string): boolean;
+    requiresAP2(toolName: string): boolean;
+    minCreditScore(_toolName: string): number;
+}
+//# sourceMappingURL=acl.d.ts.map

package/dist/server/security/acl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl.d.ts","sourceRoot":"","sources":["../../../src/server/security/acl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;EAKxB,CAAC;AAEH,MAAM,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAC;AAIpD,qBAAa,GAAG;IACd,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAM;IAE7B,OAAO;IAEP,MAAM,CAAC,WAAW,IAAI,GAAG;IAOzB,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAIjC,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAI1C,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAKtC,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;CAG1C"}

package/dist/server/security/acl.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ACL = exports.ToolACLSchema = void 0;
+const zod_1 = require("zod");
+exports.ToolACLSchema = zod_1.z.object({
+    toolName: zod_1.z.string(),
+    walletAddress: zod_1.z.string().optional(),
+    creditScore: zod_1.z.number().optional(),
+    paidTier: zod_1.z.boolean().default(false),
+});
+const FREE_TOOLS = new Set(['ftd_threshold_scan_alerts', 'nexus_agent_hire_query']);
+class ACL {
+    static instance;
+    constructor() { }
+    static getInstance() {
+        if (!ACL.instance) {
+            ACL.instance = new ACL();
+        }
+        return ACL.instance;
+    }
+    isFree(toolName) {
+        return FREE_TOOLS.has(toolName);
+    }
+    requiresPayment(toolName) {
+        return !this.isFree(toolName);
+    }
+    requiresAP2(toolName) {
+        // leviathan, xmit, xdeo require AP2 per spec
+        return ['leviathan_signal', 'xmit_edgar_decode', 'xdeo_earnings_estimate'].includes(toolName);
+    }
+    minCreditScore(_toolName) {
+        return 300;
+    }
+}
+exports.ACL = ACL;
+//# sourceMappingURL=acl.js.map

package/dist/server/security/acl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"acl.js","sourceRoot":"","sources":["../../../src/server/security/acl.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AAEX,QAAA,aAAa,GAAG,OAAC,CAAC,MAAM,CAAC;IACpC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACrC,CAAC,CAAC;AAIH,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,2BAA2B,EAAE,wBAAwB,CAAC,CAAC,CAAC;AAEpF,MAAa,GAAG;IACN,MAAM,CAAC,QAAQ,CAAM;IAE7B,gBAAuB,CAAC;IAExB,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAClB,GAAG,CAAC,QAAQ,GAAG,IAAI,GAAG,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,GAAG,CAAC,QAAQ,CAAC;IACtB,CAAC;IAED,MAAM,CAAC,QAAgB;QACrB,OAAO,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;IAED,eAAe,CAAC,QAAgB;QAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;IAED,WAAW,CAAC,QAAgB;QAC1B,6CAA6C;QAC7C,OAAO,CAAC,kBAAkB,EAAE,mBAAmB,EAAE,wBAAwB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChG,CAAC;IAED,cAAc,CAAC,SAAiB;QAC9B,OAAO,GAAG,CAAC;IACb,CAAC;CACF;AA5BD,kBA4BC"}

package/dist/server/security/audit.d.ts

@@ -0,0 +1,15 @@
+export declare class AuditLogger {
+    private static instance;
+    private seq;
+    private prevHash;
+    private readonly logPath;
+    private readonly hmacSecret;
+    private constructor();
+    static getInstance(): AuditLogger;
+    private log;
+    private redact;
+    info(event: string, data?: Record<string, unknown>): void;
+    warn(event: string, data?: Record<string, unknown>): void;
+    error(event: string, data?: Record<string, unknown>): void;
+}
+//# sourceMappingURL=audit.d.ts.map

package/dist/server/security/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../../src/server/security/audit.ts"],"names":[],"mappings":"AAiBA,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAc;IACrC,OAAO,CAAC,GAAG,CAAK;IAChB,OAAO,CAAC,QAAQ,CAAsE;IACtF,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IAEpC,OAAO;IAKP,MAAM,CAAC,WAAW,IAAI,WAAW;IAOjC,OAAO,CAAC,GAAG;IA8BX,OAAO,CAAC,MAAM;IAgBd,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,IAAI;IAI7D,IAAI,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,IAAI;IAI7D,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAAG,IAAI;CAG/D"}

package/dist/server/security/audit.js

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuditLogger = void 0;
+const crypto_1 = require("crypto");
+const fs_1 = require("fs");
+// Append-only SHA-256 chained audit log (N5)
+// Each entry includes the hash of the previous entry — tampering breaks the chain.
+class AuditLogger {
+    static instance;
+    seq = 0;
+    prevHash = '0000000000000000000000000000000000000000000000000000000000000000';
+    logPath;
+    hmacSecret;
+    constructor() {
+        this.logPath = process.env['AUDIT_LOG_PATH'] ?? './audit.log';
+        this.hmacSecret = process.env['AUDIT_HMAC_SECRET'] ?? 'mcp-x402-audit-secret';
+    }
+    static getInstance() {
+        if (!AuditLogger.instance) {
+            AuditLogger.instance = new AuditLogger();
+        }
+        return AuditLogger.instance;
+    }
+    log(level, event, data) {
+        const seq = ++this.seq;
+        const ts = Date.now();
+        // Redact PII (N3): hash wallet addresses, never log raw filing content
+        const safeData = this.redact(data);
+        const payload = JSON.stringify({ seq, ts, level, event, data: safeData, prev_hash: this.prevHash });
+        const hash = (0, crypto_1.createHmac)('sha256', this.hmacSecret).update(payload).digest('hex');
+        const entry = {
+            seq,
+            ts,
+            level,
+            event,
+            data: safeData,
+            prev_hash: this.prevHash,
+            hash,
+        };
+        this.prevHash = hash;
+        try {
+            (0, fs_1.appendFileSync)(this.logPath, JSON.stringify(entry) + '\n', 'utf8');
+        }
+        catch {
+            // If log write fails, emit to stderr but don't crash
+            process.stderr.write(`[audit-fail] ${JSON.stringify(entry)}\n`);
+        }
+    }
+    redact(data) {
+        const out = {};
+        for (const [k, v] of Object.entries(data)) {
+            if (k === 'wallet' || k === 'address') {
+                // Hash wallet addresses (N3)
+                out[k] = (0, crypto_1.createHash)('sha256').update(String(v)).digest('hex').slice(0, 16) + '...';
+            }
+            else if (k === 'content' || k === 'raw_text' || k === 'filing') {
+                // Never log raw filing data (N3)
+                out[k] = '[REDACTED]';
+            }
+            else {
+                out[k] = v;
+            }
+        }
+        return out;
+    }
+    info(event, data = {}) {
+        this.log('info', event, data);
+    }
+    warn(event, data = {}) {
+        this.log('warn', event, data);
+    }
+    error(event, data = {}) {
+        this.log('error', event, data);
+    }
+}
+exports.AuditLogger = AuditLogger;
+//# sourceMappingURL=audit.js.map

package/dist/server/security/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../../src/server/security/audit.ts"],"names":[],"mappings":";;;AAAA,mCAAgD;AAChD,2BAAoC;AAcpC,6CAA6C;AAC7C,mFAAmF;AACnF,MAAa,WAAW;IACd,MAAM,CAAC,QAAQ,CAAc;IAC7B,GAAG,GAAG,CAAC,CAAC;IACR,QAAQ,GAAG,kEAAkE,CAAC;IACrE,OAAO,CAAS;IAChB,UAAU,CAAS;IAEpC;QACE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,aAAa,CAAC;QAC9D,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,uBAAuB,CAAC;IAChF,CAAC;IAED,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC1B,WAAW,CAAC,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC;QAC3C,CAAC;QACD,OAAO,WAAW,CAAC,QAAQ,CAAC;IAC9B,CAAC;IAEO,GAAG,CAAC,KAAe,EAAE,KAAa,EAAE,IAA6B;QACvE,MAAM,GAAG,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC;QACvB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEtB,uEAAuE;QACvE,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAEnC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;QACpG,MAAM,IAAI,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAEjF,MAAM,KAAK,GAAa;YACtB,GAAG;YACH,EAAE;YACF,KAAK;YACL,KAAK;YACL,IAAI,EAAE,QAAQ;YACd,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,IAAI;SACL,CAAC;QAEF,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;QAErB,IAAI,CAAC;YACH,IAAA,mBAAc,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;QACrE,CAAC;QAAC,MAAM,CAAC;YACP,qDAAqD;YACrD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,IAA6B;QAC1C,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1C,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;gBACtC,6BAA6B;gBAC7B,GAAG,CAAC,CAAC,CAAC,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC;YACrF,CAAC;iBAAM,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;gBACjE,iCAAiC;gBACjC,GAAG,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC;YACxB,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACb,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,CAAC,KAAa,EAAE,OAAgC,EAAE;QACpD,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IAChC,CAAC;IAED,IAAI,CAAC,KAAa,EAAE,OAAgC,EAAE;QACpD,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,KAAa,EAAE,OAAgC,EAAE;QACrD,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACjC,CAAC;CACF;AA5ED,kCA4EC"}

package/dist/server/security/rate-limit.d.ts

@@ -0,0 +1,12 @@
+export declare class RateLimiter {
+    private static instance;
+    private readonly toolBuckets;
+    private readonly walletBuckets;
+    private readonly ipBuckets;
+    private constructor();
+    static getInstance(): RateLimiter;
+    checkTool(toolName: string): boolean;
+    checkWallet(wallet: string): boolean;
+    checkIp(ip: string): boolean;
+}
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/server/security/rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../../../src/server/security/rate-limit.ts"],"names":[],"mappings":"AAaA,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAc;IACrC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAkC;IAC9D,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAkC;IAChE,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAyD;IAEnF,OAAO;IAEP,MAAM,CAAC,WAAW,IAAI,WAAW;IAOjC,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO;IAqBpC,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAqBpC,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;CAa7B"}

package/dist/server/security/rate-limit.js

@@ -0,0 +1,72 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RateLimiter = void 0;
+const PER_TOOL_MINUTE_LIMIT = 100;
+const PER_WALLET_DAY_LIMIT = 1000;
+const IP_MINUTE_LIMIT = 200;
+function nowMs() {
+    return Date.now();
+}
+class RateLimiter {
+    static instance;
+    toolBuckets = new Map();
+    walletBuckets = new Map();
+    ipBuckets = new Map();
+    constructor() { }
+    static getInstance() {
+        if (!RateLimiter.instance) {
+            RateLimiter.instance = new RateLimiter();
+        }
+        return RateLimiter.instance;
+    }
+    checkTool(toolName) {
+        const now = nowMs();
+        let bucket = this.toolBuckets.get(toolName);
+        if (!bucket) {
+            bucket = {
+                minute: { count: 0, resetAt: now + 60_000 },
+                day: { count: 0, resetAt: now + 86_400_000 },
+            };
+            this.toolBuckets.set(toolName, bucket);
+        }
+        if (now > bucket.minute.resetAt) {
+            bucket.minute = { count: 0, resetAt: now + 60_000 };
+        }
+        if (bucket.minute.count >= PER_TOOL_MINUTE_LIMIT)
+            return false;
+        bucket.minute.count++;
+        return true;
+    }
+    checkWallet(wallet) {
+        const now = nowMs();
+        let bucket = this.walletBuckets.get(wallet);
+        if (!bucket) {
+            bucket = {
+                minute: { count: 0, resetAt: now + 60_000 },
+                day: { count: 0, resetAt: now + 86_400_000 },
+            };
+            this.walletBuckets.set(wallet, bucket);
+        }
+        if (now > bucket.day.resetAt) {
+            bucket.day = { count: 0, resetAt: now + 86_400_000 };
+        }
+        if (bucket.day.count >= PER_WALLET_DAY_LIMIT)
+            return false;
+        bucket.day.count++;
+        return true;
+    }
+    checkIp(ip) {
+        const now = nowMs();
+        let entry = this.ipBuckets.get(ip);
+        if (!entry || now > entry.resetAt) {
+            entry = { count: 0, resetAt: now + 60_000 };
+            this.ipBuckets.set(ip, entry);
+        }
+        if (entry.count >= IP_MINUTE_LIMIT)
+            return false;
+        entry.count++;
+        return true;
+    }
+}
+exports.RateLimiter = RateLimiter;
+//# sourceMappingURL=rate-limit.js.map

package/dist/server/security/rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limit.js","sourceRoot":"","sources":["../../../src/server/security/rate-limit.ts"],"names":[],"mappings":";;;AAKA,MAAM,qBAAqB,GAAG,GAAG,CAAC;AAClC,MAAM,oBAAoB,GAAG,IAAI,CAAC;AAClC,MAAM,eAAe,GAAG,GAAG,CAAC;AAE5B,SAAS,KAAK;IACZ,OAAO,IAAI,CAAC,GAAG,EAAE,CAAC;AACpB,CAAC;AAED,MAAa,WAAW;IACd,MAAM,CAAC,QAAQ,CAAc;IACpB,WAAW,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC7C,aAAa,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC/C,SAAS,GAAG,IAAI,GAAG,EAA8C,CAAC;IAEnF,gBAAuB,CAAC;IAExB,MAAM,CAAC,WAAW;QAChB,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;YAC1B,WAAW,CAAC,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC;QAC3C,CAAC;QACD,OAAO,WAAW,CAAC,QAAQ,CAAC;IAC9B,CAAC;IAED,SAAS,CAAC,QAAgB;QACxB,MAAM,GAAG,GAAG,KAAK,EAAE,CAAC;QACpB,IAAI,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE5C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,GAAG;gBACP,MAAM,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,MAAM,EAAE;gBAC3C,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,UAAU,EAAE;aAC7C,CAAC;YACF,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAChC,MAAM,CAAC,MAAM,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,MAAM,EAAE,CAAC;QACtD,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,IAAI,qBAAqB;YAAE,OAAO,KAAK,CAAC;QAC/D,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,WAAW,CAAC,MAAc;QACxB,MAAM,GAAG,GAAG,KAAK,EAAE,CAAC;QACpB,IAAI,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAE5C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,GAAG;gBACP,MAAM,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,MAAM,EAAE;gBAC3C,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,UAAU,EAAE;aAC7C,CAAC;YACF,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;YAC7B,MAAM,CAAC,GAAG,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,UAAU,EAAE,CAAC;QACvD,CAAC;QAED,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,IAAI,oBAAoB;YAAE,OAAO,KAAK,CAAC;QAC3D,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,EAAU;QAChB,MAAM,GAAG,GAAG,KAAK,EAAE,CAAC;QACpB,IAAI,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEnC,IAAI,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;YAClC,KAAK,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,MAAM,EAAE,CAAC;YAC5C,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAChC,CAAC;QAED,IAAI,KAAK,CAAC,KAAK,IAAI,eAAe;YAAE,OAAO,KAAK,CAAC;QACjD,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAtED,kCAsEC"}

package/dist/server/security/sandbox.d.ts

@@ -0,0 +1,7 @@
+import { z } from 'zod';
+export declare class Sandbox {
+    static validate<T>(schema: z.ZodType<T>, input: unknown): T;
+    static validateUrl(raw: string): URL;
+    static sanitizeApiResponse(text: string): string;
+}
+//# sourceMappingURL=sandbox.d.ts.map

package/dist/server/security/sandbox.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.d.ts","sourceRoot":"","sources":["../../../src/server/security/sandbox.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,qBAAa,OAAO;IAClB,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,GAAG,CAAC;IAY3D,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG;IAcpC,MAAM,CAAC,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;CAQjD"}

package/dist/server/security/sandbox.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Sandbox = void 0;
+// Sandboxed input validation layer — all tool inputs pass through here before execution.
+// No eval(), no dynamic require(), no raw SQL (N4 enforcement at schema layer).
+class Sandbox {
+    static validate(schema, input) {
+        const result = schema.safeParse(input);
+        if (!result.success) {
+            const issues = result.error.issues
+                .map((i) => `${i.path.join('.')}: ${i.message}`)
+                .join('; ');
+            throw new Error(`Input validation failed: ${issues}`);
+        }
+        return result.data;
+    }
+    // Ensure URL is http/https only — no file://, data://, javascript:
+    static validateUrl(raw) {
+        let url;
+        try {
+            url = new URL(raw);
+        }
+        catch {
+            throw new Error(`Invalid URL: ${raw}`);
+        }
+        if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+            throw new Error(`Disallowed URL protocol: ${url.protocol}`);
+        }
+        return url;
+    }
+    // Strip any response content that looks like a prompt injection attempt
+    static sanitizeApiResponse(text) {
+        // Remove common injection markers
+        return text
+            .replace(/<\/?system>/gi, '')
+            .replace(/\[INST\]/gi, '')
+            .replace(/\[\/?INST\]/gi, '')
+            .slice(0, 50_000); // Hard cap on returned content size
+    }
+}
+exports.Sandbox = Sandbox;
+//# sourceMappingURL=sandbox.js.map

package/dist/server/security/sandbox.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sandbox.js","sourceRoot":"","sources":["../../../src/server/security/sandbox.ts"],"names":[],"mappings":";;;AAEA,yFAAyF;AACzF,gFAAgF;AAChF,MAAa,OAAO;IAClB,MAAM,CAAC,QAAQ,CAAI,MAAoB,EAAE,KAAc;QACrD,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM;iBAC/B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;iBAC/C,IAAI,CAAC,IAAI,CAAC,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,4BAA4B,MAAM,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;IAED,mEAAmE;IACnE,MAAM,CAAC,WAAW,CAAC,GAAW;QAC5B,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,KAAK,CAAC,gBAAgB,GAAG,EAAE,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,4BAA4B,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC9D,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,wEAAwE;IACxE,MAAM,CAAC,mBAAmB,CAAC,IAAY;QACrC,kCAAkC;QAClC,OAAO,IAAI;aACR,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;aAC5B,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC;aACzB,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;aAC5B,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,oCAAoC;IAC3D,CAAC;CACF;AAnCD,0BAmCC"}

package/dist/server/tools/agentcard.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerAgentCard(server: McpServer): void;
+//# sourceMappingURL=agentcard.d.ts.map

package/dist/server/tools/agentcard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentcard.d.ts","sourceRoot":"","sources":["../../../src/server/tools/agentcard.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AA0BzE,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA0GzD"}

package/dist/server/tools/agentcard.js

@@ -0,0 +1,118 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerAgentCard = registerAgentCard;
+const zod_1 = require("zod");
+const x402_js_1 = require("../payments/x402.js");
+const rate_limit_js_1 = require("../security/rate-limit.js");
+const sandbox_js_1 = require("../security/sandbox.js");
+const audit_js_1 = require("../security/audit.js");
+const pricing_js_1 = require("../registry/pricing.js");
+const agentcard_js_1 = require("../../lib/sml-api/agentcard.js");
+const LookupSchema = zod_1.z.object({
+    identifier: zod_1.z.string().min(1),
+});
+const VerifySchema = zod_1.z.object({
+    wallet_address: zod_1.z.string().min(10),
+    message: zod_1.z.string().min(1),
+    signature: zod_1.z.string().min(1),
+});
+const MintSchema = zod_1.z.object({
+    wallet_address: zod_1.z.string().min(10),
+    name: zod_1.z.string().min(1).max(64),
+    did: zod_1.z.string().optional(),
+    metadata: zod_1.z.record(zod_1.z.unknown()).optional(),
+    payment_wallet: zod_1.z.string().optional(),
+});
+function registerAgentCard(server) {
+    const audit = audit_js_1.AuditLogger.getInstance();
+    // ── FREE: agentcard_lookup ─────────────────────────────────────────────────
+    server.tool('agentcard_lookup', {
+        identifier: zod_1.z.string().describe('Agent wallet address or DID to look up.'),
+    }, async (rawArgs) => {
+        const { identifier } = sandbox_js_1.Sandbox.validate(LookupSchema, rawArgs);
+        if (!rate_limit_js_1.RateLimiter.getInstance().checkTool('agentcard_lookup')) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'rate_limit_exceeded', retry_after: 60 }) }], isError: true };
+        }
+        try {
+            const data = await agentcard_js_1.AgentCardAPI.lookup(identifier);
+            audit.info('agentcard_lookup', { identifier });
+            return { content: [{ type: 'text', text: JSON.stringify(data) }] };
+        }
+        catch (err) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'api_error', message: String(err) }) }], isError: true };
+        }
+    });
+    // ── FREE: agentcard_verify ─────────────────────────────────────────────────
+    server.tool('agentcard_verify', {
+        wallet_address: zod_1.z.string().describe('Agent wallet address that signed the message.'),
+        message: zod_1.z.string().describe('Original message that was signed.'),
+        signature: zod_1.z.string().describe('Ed25519 signature (hex or base64).'),
+    }, async (rawArgs) => {
+        const args = sandbox_js_1.Sandbox.validate(VerifySchema, rawArgs);
+        if (!rate_limit_js_1.RateLimiter.getInstance().checkTool('agentcard_verify')) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'rate_limit_exceeded', retry_after: 60 }) }], isError: true };
+        }
+        try {
+            const data = await agentcard_js_1.AgentCardAPI.verify({
+                walletAddress: args.wallet_address,
+                message: args.message,
+                signature: args.signature,
+            });
+            audit.info('agentcard_verify', { wallet_address: args.wallet_address });
+            return { content: [{ type: 'text', text: JSON.stringify(data) }] };
+        }
+        catch (err) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'api_error', message: String(err) }) }], isError: true };
+        }
+    });
+    // ── PAID: agentcard_mint (0.01 USDC) ──────────────────────────────────────
+    server.tool('agentcard_mint', {
+        wallet_address: zod_1.z.string().describe('XRPL wallet address for the new agent identity.'),
+        name: zod_1.z.string().describe('Human-readable agent name (max 64 chars).'),
+        did: zod_1.z.string().describe('Optional DID (decentralized identifier) for the agent.'),
+        metadata: zod_1.z.record(zod_1.z.unknown()).describe('Optional metadata object (capabilities, version, etc.).'),
+        payment_wallet: zod_1.z.string().describe('Wallet to pay x402 fee from (defaults to wallet_address).'),
+    }, async (rawArgs) => {
+        const args = sandbox_js_1.Sandbox.validate(MintSchema, rawArgs);
+        const paymentWallet = args.payment_wallet ?? args.wallet_address;
+        if (!rate_limit_js_1.RateLimiter.getInstance().checkTool('agentcard_mint')) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'rate_limit_exceeded', retry_after: 60 }) }], isError: true };
+        }
+        await pricing_js_1.PriceRegistry.getInstance().seedDefaults();
+        const price = await pricing_js_1.PriceRegistry.getInstance().getPrice('agentcard_mint');
+        if (!price) {
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'price_unavailable' }) }], isError: true };
+        }
+        let payment;
+        try {
+            payment = await (0, x402_js_1.executeX402Payment)({ price, currency: 'USDC', toolName: 'agentcard_mint', walletAddress: paymentWallet });
+        }
+        catch (err) {
+            audit.warn('agentcard_mint_payment_fail', { error: String(err) });
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'payment_failed', message: String(err) }) }], isError: true };
+        }
+        try {
+            const data = await agentcard_js_1.AgentCardAPI.mint({
+                walletAddress: args.wallet_address,
+                name: args.name,
+                did: args.did,
+                metadata: args.metadata,
+            });
+            audit.info('agentcard_mint_success', { name: args.name, receiptId: payment.receiptId });
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({
+                            data,
+                            _meta: { receipt_id: payment.receiptId, tx_hash: payment.txHash, chain: payment.chain, amount_paid: `${payment.amountPaid} ${payment.currency}`, timestamp: payment.timestamp },
+                        }),
+                    }],
+            };
+        }
+        catch (err) {
+            audit.error('agentcard_mint_api_fail', { error: String(err) });
+            return { content: [{ type: 'text', text: JSON.stringify({ error: 'api_error', message: String(err) }) }], isError: true };
+        }
+    });
+}
+//# sourceMappingURL=agentcard.js.map

package/dist/server/tools/agentcard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agentcard.js","sourceRoot":"","sources":["../../../src/server/tools/agentcard.ts"],"names":[],"mappings":";;AA2BA,8CA0GC;AArID,6BAAwB;AAExB,iDAAyD;AACzD,6DAAwD;AACxD,uDAAiD;AACjD,mDAAmD;AACnD,uDAAuD;AACvD,iEAA8D;AAE9D,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC9B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,OAAC,CAAC,MAAM,CAAC;IAC5B,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IAClC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC7B,CAAC,CAAC;AAEH,MAAM,UAAU,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1B,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IAClC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;IAC/B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,QAAQ,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,EAAE;IAC1C,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CACtC,CAAC,CAAC;AAEH,SAAgB,iBAAiB,CAAC,MAAiB;IACjD,MAAM,KAAK,GAAG,sBAAW,CAAC,WAAW,EAAE,CAAC;IAExC,8EAA8E;IAC9E,MAAM,CAAC,IAAI,CACT,kBAAkB,EAClB;QACE,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,yCAAyC,CAAC;KAC3E,EACD,KAAK,EAAE,OAAO,EAAE,EAAE;QAChB,MAAM,EAAE,UAAU,EAAE,GAAG,oBAAO,CAAC,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAC/D,IAAI,CAAC,2BAAW,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QACjI,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,2BAAY,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACnD,KAAK,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC;YAC/C,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QACrE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC5H,CAAC;IACH,CAAC,CACF,CAAC;IAEF,8EAA8E;IAC9E,MAAM,CAAC,IAAI,CACT,kBAAkB,EAClB;QACE,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,+CAA+C,CAAC;QACpF,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mCAAmC,CAAC;QACjE,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;KACrE,EACD,KAAK,EAAE,OAAO,EAAE,EAAE;QAChB,MAAM,IAAI,GAAG,oBAAO,CAAC,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACrD,IAAI,CAAC,2BAAW,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QACjI,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,2BAAY,CAAC,MAAM,CAAC;gBACrC,aAAa,EAAE,IAAI,CAAC,cAAc;gBAClC,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,SAAS,EAAE,IAAI,CAAC,SAAS;aAC1B,CAAC,CAAC;YACH,KAAK,CAAC,IAAI,CAAC,kBAAkB,EAAE,EAAE,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;YACxE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;QACrE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC5H,CAAC;IACH,CAAC,CACF,CAAC;IAEF,6EAA6E;IAC7E,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB;QACE,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,iDAAiD,CAAC;QACtF,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2CAA2C,CAAC;QACtE,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,wDAAwD,CAAC;QAClF,QAAQ,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,yDAAyD,CAAC;QACnG,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2DAA2D,CAAC;KACjG,EACD,KAAK,EAAE,OAAO,EAAE,EAAE;QAChB,MAAM,IAAI,GAAG,oBAAO,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,aAAa,GAAG,IAAI,CAAC,cAAc,IAAI,IAAI,CAAC,cAAc,CAAC;QAEjE,IAAI,CAAC,2BAAW,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC3D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QACjI,CAAC;QAED,MAAM,0BAAa,CAAC,WAAW,EAAE,CAAC,YAAY,EAAE,CAAC;QACjD,MAAM,KAAK,GAAG,MAAM,0BAAa,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QAC3E,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9G,CAAC;QAED,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,IAAA,4BAAkB,EAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,gBAAgB,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC,CAAC;QAC5H,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,CAAC,IAAI,CAAC,6BAA6B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAClE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QACjI,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,2BAAY,CAAC,IAAI,CAAC;gBACnC,aAAa,EAAE,IAAI,CAAC,cAAc;gBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACxB,CAAC,CAAC;YACH,KAAK,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;YACxF,OAAO;gBACL,OAAO,EAAE,CAAC;wBACR,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;4BACnB,IAAI;4BACJ,KAAK,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE;yBAChL,CAAC;qBACH,CAAC;aACH,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,CAAC,KAAK,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC/D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC5H,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/server/tools/apm-execute.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerApmExecute(server: McpServer): void;
+//# sourceMappingURL=apm-execute.d.ts.map

package/dist/server/tools/apm-execute.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apm-execute.d.ts","sourceRoot":"","sources":["../../../src/server/tools/apm-execute.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAuBzE,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA8E1D"}

package/dist/server/tools/apm-execute.js

@@ -0,0 +1,94 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerApmExecute = registerApmExecute;
+const zod_1 = require("zod");
+const x402_js_1 = require("../payments/x402.js");
+const rate_limit_js_1 = require("../security/rate-limit.js");
+const sandbox_js_1 = require("../security/sandbox.js");
+const audit_js_1 = require("../security/audit.js");
+const quote_js_1 = require("../apm/quote.js");
+const execute_js_1 = require("../apm/execute.js");
+const ExecuteSchema = zod_1.z.object({
+    quote_canonical: zod_1.z.string().min(2),
+    quote_signature: zod_1.z.string().min(2),
+    tool: zod_1.z.string().min(1),
+    wallet_address: zod_1.z.string().min(1),
+    symbol: zod_1.z.string().optional(),
+});
+const ok = (p) => ({ content: [{ type: 'text', text: JSON.stringify(p, null, 2) }] });
+const fail = (error, extra = {}) => ({
+    content: [{ type: 'text', text: JSON.stringify({ error, ...extra }) }],
+    isError: true,
+});
+function registerApmExecute(server) {
+    const audit = audit_js_1.AuditLogger.getInstance();
+    server.tool('apm_execute', "Execute a tool recommended by apm_negotiate under its price-locked signed quote, collecting the agreed brokerage. Pass the quote's `canonical` + `signature` (from the Service Capability Contract), the tool name, and any args (e.g. `symbol`). Charges the locked price + brokerage, runs the tool, returns the result. Requires APM_QUOTE_SECRET on the gateway.", {
+        quote_canonical: zod_1.z.string().describe('The `quote.canonical` string from apm_negotiate (mode=contract).'),
+        quote_signature: zod_1.z.string().describe('The `quote.signature` from apm_negotiate — proves the SML price-lock.'),
+        tool: zod_1.z.string().describe('Tool to execute. Must match the quote and be brokerable (e.g. squeezeos_council).'),
+        wallet_address: zod_1.z.string().describe('Wallet that pays the brokered total.'),
+        symbol: zod_1.z.string().optional().describe('Ticker symbol, when the tool needs one (e.g. squeezeos_council).'),
+    }, async (rawArgs) => {
+        const args = sandbox_js_1.Sandbox.validate(ExecuteSchema, rawArgs);
+        if (!rate_limit_js_1.RateLimiter.getInstance().checkTool('apm_execute')) {
+            return fail('rate_limit_exceeded', { retry_after: 60 });
+        }
+        // 1. Verify the price-locked quote (needs APM_QUOTE_SECRET set on the gateway).
+        const check = (0, quote_js_1.verifyAndParseQuote)(args.quote_canonical, args.quote_signature);
+        if (!check.valid || !check.quote) {
+            return fail('quote_invalid', {
+                reason: check.reason,
+                hint: 'Signature failed. Ensure APM_QUOTE_SECRET is set and you passed the exact canonical+signature from apm_negotiate (mode=contract).',
+            });
+        }
+        if (check.expired) {
+            return fail('quote_expired', { expires_at: check.quote.expires_at, hint: 'Re-run apm_negotiate (mode=contract) for a fresh quote.' });
+        }
+        if (check.quote.tool !== args.tool) {
+            return fail('tool_quote_mismatch', { quote_tool: check.quote.tool, requested_tool: args.tool });
+        }
+        if (!(0, execute_js_1.isBrokerable)(args.tool)) {
+            return fail('tool_not_brokerable', { tool: args.tool, brokerable: (0, execute_js_1.brokerableTools)(), hint: 'apm_execute brokers the live SqueezeOS family today; more tools coming.' });
+        }
+        // 2. Collect locked price + brokerage (amount integrity = the SML-signed quote).
+        const total = (0, execute_js_1.brokeredTotal)(check.quote.price_usd, check.quote.brokerage_commission_pct);
+        let payment;
+        try {
+            payment = await (0, x402_js_1.executeBrokeredPayment)({ amount: total, toolName: `apm_execute:${args.tool}` });
+        }
+        catch (err) {
+            audit.warn('apm_execute_payment_fail', { error: String(err) });
+            return fail('payment_failed', { message: String(err) });
+        }
+        // 3. Run the brokered tool through SML's own paid path.
+        try {
+            const data = await execute_js_1.BROKERABLE_TOOLS[args.tool]({ symbol: args.symbol, wallet_address: args.wallet_address });
+            audit.info('apm_execute_success', { tool: args.tool, receiptId: payment.receiptId });
+            return ok({
+                tool: args.tool,
+                data,
+                brokerage: {
+                    locked_price_usd: check.quote.price_usd,
+                    commission_pct: check.quote.brokerage_commission_pct,
+                    total_charged_usd: total,
+                },
+                _meta: {
+                    receipt_id: payment.receiptId,
+                    tx_hash: payment.txHash,
+                    chain: payment.chain,
+                    amount_paid: `${payment.amountPaid} ${payment.currency}`,
+                    timestamp: payment.timestamp,
+                },
+            });
+        }
+        catch (err) {
+            audit.error('apm_execute_tool_fail', { tool: args.tool, error: String(err) });
+            return fail('tool_execution_failed', {
+                message: String(err),
+                receipt_id: payment.receiptId,
+                note: 'Payment was collected; the brokered tool call failed (e.g. backend offline). Receipt retained.',
+            });
+        }
+    });
+}
+//# sourceMappingURL=apm-execute.js.map

package/dist/server/tools/apm-execute.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"apm-execute.js","sourceRoot":"","sources":["../../../src/server/tools/apm-execute.ts"],"names":[],"mappings":";;AAwBA,gDA8EC;AAtGD,6BAAwB;AAExB,iDAA6D;AAC7D,6DAAwD;AACxD,uDAAiD;AACjD,mDAAmD;AACnD,8CAAsD;AACtD,kDAAmG;AAEnG,MAAM,aAAa,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7B,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAClC,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAClC,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACjC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC9B,CAAC,CAAC;AAGH,MAAM,EAAE,GAAG,CAAC,CAAU,EAAc,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;AAC3G,MAAM,IAAI,GAAG,CAAC,KAAa,EAAE,QAAiC,EAAE,EAAc,EAAE,CAAC,CAAC;IAChF,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,GAAG,KAAK,EAAE,CAAC,EAAE,CAAC;IACtE,OAAO,EAAE,IAAI;CACd,CAAC,CAAC;AAEH,SAAgB,kBAAkB,CAAC,MAAiB;IAClD,MAAM,KAAK,GAAG,sBAAW,CAAC,WAAW,EAAE,CAAC;IAExC,MAAM,CAAC,IAAI,CACT,aAAa,EACb,sWAAsW,EACtW;QACE,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,kEAAkE,CAAC;QACxG,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,uEAAuE,CAAC;QAC7G,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mFAAmF,CAAC;QAC9G,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sCAAsC,CAAC;QAC3E,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kEAAkE,CAAC;KAC3G,EACD,KAAK,EAAE,OAAO,EAAuB,EAAE;QACrC,MAAM,IAAI,GAAG,oBAAO,CAAC,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QAEtD,IAAI,CAAC,2BAAW,CAAC,WAAW,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,CAAC;YACxD,OAAO,IAAI,CAAC,qBAAqB,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,gFAAgF;QAChF,MAAM,KAAK,GAAG,IAAA,8BAAmB,EAAC,IAAI,CAAC,eAAe,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;QAC9E,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,eAAe,EAAE;gBAC3B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,IAAI,EAAE,mIAAmI;aAC1I,CAAC,CAAC;QACL,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC,eAAe,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,EAAE,yDAAyD,EAAE,CAAC,CAAC;QACxI,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YACnC,OAAO,IAAI,CAAC,qBAAqB,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAClG,CAAC;QACD,IAAI,CAAC,IAAA,yBAAY,EAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,IAAA,4BAAe,GAAE,EAAE,IAAI,EAAE,yEAAyE,EAAE,CAAC,CAAC;QAC1K,CAAC;QAED,iFAAiF;QACjF,MAAM,KAAK,GAAG,IAAA,0BAAa,EAAC,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QACzF,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,IAAA,gCAAsB,EAAC,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,eAAe,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAClG,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,CAAC,IAAI,CAAC,0BAA0B,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC/D,OAAO,IAAI,CAAC,gBAAgB,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,wDAAwD;QACxD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,6BAAgB,CAAC,IAAI,CAAC,IAAI,CAAE,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;YAC9G,KAAK,CAAC,IAAI,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;YACrF,OAAO,EAAE,CAAC;gBACR,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,IAAI;gBACJ,SAAS,EAAE;oBACT,gBAAgB,EAAE,KAAK,CAAC,KAAK,CAAC,SAAS;oBACvC,cAAc,EAAE,KAAK,CAAC,KAAK,CAAC,wBAAwB;oBACpD,iBAAiB,EAAE,KAAK;iBACzB;gBACD,KAAK,EAAE;oBACL,UAAU,EAAE,OAAO,CAAC,SAAS;oBAC7B,OAAO,EAAE,OAAO,CAAC,MAAM;oBACvB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,WAAW,EAAE,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,QAAQ,EAAE;oBACxD,SAAS,EAAE,OAAO,CAAC,SAAS;iBAC7B;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,KAAK,CAAC,KAAK,CAAC,uBAAuB,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC9E,OAAO,IAAI,CAAC,uBAAuB,EAAE;gBACnC,OAAO,EAAE,MAAM,CAAC,GAAG,CAAC;gBACpB,UAAU,EAAE,OAAO,CAAC,SAAS;gBAC7B,IAAI,EAAE,gGAAgG;aACvG,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}

package/dist/server/tools/apm.d.ts

@@ -0,0 +1,3 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerApm(server: McpServer): void;
+//# sourceMappingURL=apm.d.ts.map

package/dist/server/tools/apm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"apm.d.ts","sourceRoot":"","sources":["../../../src/server/tools/apm.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAyBzE,wBAAgB,WAAW,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI,CA8HnD"}